Eric,
I found 2 articles on the CP SecureKnowledge pages but was unable to resolve this for myself :-(
One is specific to Solaris re: The default timeout for TCP Check-Alive being higher than the FW1 TCP timeout.
The other solution is as follows:
Solution: NAT works intermittently. Periodic snoops show that invalid addresses sometimes reach the Internet (36.0.476006.2482649)
Do not install a Layer 3 switch between the internal network and the internal interface of FireWall-1.
Problem Description
NAT works intermittently. Periodic snoops show that invalid addresses sometimes reach the Internet.
See the problem environment.
Cause of this problem:
In this configuration the Layer 3-compatible switch will direct traffic either to the internal interface of FireWall-1 or directly to the external router. This explains the intermittent NAT operation.
Changes affecting this problem:
A Layer 3 switch installed between the internal interface of FireWall-1 and the internal network. The switch also has a direct route to an external router.
HTH
Marc
Eric Trolan <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
07/22/00 01:23 AM
To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
cc:
Subject: [FW1] Hide NAT and original addresses leaking through?
Hi All,
I recently put some access lists on our Internet router to drop RFC 1918 addresses. Internally we use 172.19.x.x. I was surprised to see packets getting dropped from our internal network on the router since everyone going through the firewall should be NATed to the legal address 63.169.12.6. I experienced this on FW 4.0 and now on FW 4.1, both for NT.
Anyone have any idea why some of my internal network addresses are not being completely NATed when going to the outside world? Anyone know of other information that may be leaking through the firewall?
Any help or ideas are appreciated.
Regards
Eric
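The check both posters are circling around, as an added example that is not part of this thread and not Check Point's or anyone else's tooling: take a capture from the outside of the firewall (or the router's drop log), and confirm whether un-NATed RFC 1918 sources really are getting out and which internal hosts they come from. Hosts that show up as leaking are the ones whose traffic is taking a path around the firewall, which is exactly the Layer 3 switch situation the SecureKnowledge article describes. The one-packet-per-line format, the addresses in the sample, and the helper names (`find_leaks`, `leaking_hosts`, `leak_ratio`) are constructed for this example; a real snoop or tcpdump summary needs its own parser.

```python
import ipaddress
from collections import Counter

# RFC 1918 ranges, checked explicitly rather than via ipaddress.is_private,
# which also matches loopback, link-local, TEST-NET and other non-1918 space.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample capture: "<src> -> <dst> <proto/port>", one packet per
# line, modelled on the thread (internal 172.19.x.x, hide-NAT address
# 63.169.12.6). This is an assumed format, not snoop or tcpdump output.
SAMPLE_CAPTURE = """\
63.169.12.6 -> 198.51.100.10 tcp/80
172.19.4.22 -> 198.51.100.10 tcp/80
63.169.12.6 -> 198.51.100.25 udp/53
172.19.4.22 -> 198.51.100.25 udp/53
172.19.7.9 -> 198.51.100.10 tcp/443
63.169.12.6 -> 198.51.100.10 tcp/443
"""


def is_rfc1918(addr: str) -> bool:
    """True if addr falls in 10/8, 172.16/12 or 192.168/16."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_line(line: str):
    """Split one capture line into (src, dst, proto); ValueError on junk."""
    src, arrow, dst, proto = line.split()
    if arrow != "->":
        raise ValueError(f"unexpected capture line: {line!r}")
    return src, dst, proto


def find_leaks(capture: str, hide_addr: str):
    """Classify packets seen on the outside of a hide-NAT firewall.

    Returns (leaks, stats). leaks is a list of (src, dst, proto) whose source
    is an RFC 1918 address, which should never appear outside a hide NAT.
    stats counts packets as 'natted' (source == hide_addr), 'leaked', or
    'other' (an unrelated public source).
    """
    leaks = []
    stats = Counter()
    for line in capture.splitlines():
        if not line.strip():
            continue
        src, dst, proto = parse_line(line)
        if is_rfc1918(src):
            leaks.append((src, dst, proto))
            stats["leaked"] += 1
        elif src == hide_addr:
            stats["natted"] += 1
        else:
            stats["other"] += 1
    return leaks, dict(stats)


def leaking_hosts(leaks):
    """Leaked packets per internal source: these hosts bypass the firewall."""
    return Counter(src for src, _dst, _proto in leaks)


def leak_ratio(stats) -> float:
    """Fraction of outbound packets that escaped NAT; 0.0 if nothing seen."""
    total = stats.get("natted", 0) + stats.get("leaked", 0)
    return stats.get("leaked", 0) / total if total else 0.0


if __name__ == "__main__":
    leaks, stats = find_leaks(SAMPLE_CAPTURE, "63.169.12.6")
    print(f"stats: {stats}, leak ratio {leak_ratio(stats):.2f}")
    for host, n in leaking_hosts(leaks).most_common():
        print(f"  {host}: {n} un-NATed packet(s)")
```

In practice the leaked-host list is the useful output: compare those internal addresses against the topology, and if they all sit behind the same Layer 3 switch with its own route to the external router, the intermittent NAT is a routing problem, not a firewall one.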
